How long does it take to catch a wild kangaroo?
How long does it take to catch a wild kangaroo?

Ravi Montenegro, Prasad Tetali

December 3, 2008. arXiv v1 [math.PR], 3 Dec 2008.

Abstract. The discrete logarithm problem asks to solve for the exponent $x$, given the generator $g$ of a cyclic group $G$ and an element $h \in G$ such that $g^x = h$. We give the first rigorous proof that Pollard's Kangaroo method finds the discrete logarithm in expected time $(3+o(1))\sqrt{b-a}$ when the logarithm $x \in [a,b]$, and $(2+o(1))\sqrt{b-a}$ when $x \in_{uar} [a,b]$. This matches the conjectured time complexity and, rare among the analysis of algorithms based on Markov chains, even the lead constants 2 and 3 are correct.

Keywords: Pollard's Kangaroo method, digital signature, discrete logarithm, Markov chain, mixing time.

1 Introduction

Cryptographic schemes are generally constructed in such a way that breaking them will likely require solving some presumably difficult computational problem, such as finding prime factors or solving a discrete logarithm problem. Recall that the discrete logarithm problem asks to solve for the exponent $x$, given the generator $g$ of a cyclic group $G$ and an element $h \in G$ such that $g^x = h$. The Diffie-Hellman key exchange, ElGamal cryptosystem, and the US government's DSA (Digital Signature Algorithm) are all based on an assumption that the discrete logarithm is difficult to find.

A Birthday Attack is a common approach towards solving these problems, and although heuristics can be given for the time complexity of these methods, rigorous results are rare. In [3] we examined one such method, namely Pollard's Rho Algorithm to find the discrete logarithm on a cyclic group $G$, and verified the correctness of commonly held intuition. This work generated further interest among some of the experts in cryptography, and Dan Boneh [1] in particular encouraged us to analyze Pollard's Kangaroo method [5], due to its very many applications. When the discrete logarithm $x$ is known to lie in a small interval $[a,b]$ with $b-a \ll |G|$, this algorithm is expected to improve on the Rho algorithm, with a run time averaging $2\sqrt{b-a}$ steps, versus $\sqrt{(\pi/2)|G|}$ for the Rho algorithm. In fact, for some cyclic groups the Kangaroo method is the most efficient means known for finding the discrete logarithm over an interval, as Shanks' baby-step giant-step method requires too much memory. Among the cases in which this would be useful, Boneh and Boyen [2] give a signature scheme in which a shorter signature can be transmitted if the receiver uses the Kangaroo method to determine the missing information. Verification of the time complexity of the Kangaroo method (as we do here) would then make rigorous their claim that the missing bits can be efficiently constructed.

Author affiliations: Department of Mathematical Sciences, University of Massachusetts at Lowell, Lowell, MA 01854, USA, ravi_montenegro@uml.edu. School of Mathematics and School of Computer Science, Georgia Institute of Technology, Atlanta, GA 30332, USA, tetali@math.gatech.edu; research supported in part by NSF grants DMS.

While the above is an application for signature communication, another natural application is in forging a signature. For instance, in order to speed up computation of a signature the secret key $x$ may be chosen from an interval $[a,b]$ with $b-a \ll |G|$, or an attack might reveal a sequence of consecutive bits at the beginning or end of the key, in which cases the Kangaroo method can be used to find the key and forge a signature.

The Kangaroo method is based on running two independent sequences of hops (random walks), one starting at a known state (the "tame kangaroo") and the other starting at the unknown value of the discrete logarithm $x$ (the "wild kangaroo"). The main result of this paper will be a bound on the expected number of steps required by the kangaroos before the logarithm is determined. In particular, we find that for the Distinguished Points implementation of the Kangaroo method,

Theorem 1.1. Suppose $g,h \in G$ are such that $h = g^x$ for some $x \in [a,b]$. The expected number of group operations required by the Kangaroo method is $(3+o(1))\sqrt{b-a}$. If $x \in_{uar} [a,b]$ then the expected number of group operations is $(2+o(1))\sqrt{b-a}$.

We show matching upper and lower bounds, so the lead constants are sharp, which is rare among the analyses of algorithms based on Markov chains. Previously the first bound was known only by rough heuristic, while Pollard [6] gives a convincing but not completely rigorous argument for the second.

Given the practical significance of Pollard's Kangaroo method for solving the discrete logarithm problem, we find it surprising that there has been no fully rigorous analysis of this algorithm, particularly since it has been 30 years since it was first proposed in [5]. Although our approach borrows a few concepts from the study of the Rho algorithm in [3], such as the use of a second moment method to study the number of intersections, a significant complication in studying this algorithm is that when $b-a \ll |G|$ the kangaroos will have proceeded only a small way around the cyclic group before the algorithm terminates. As such, mixing time is no longer a useful notion, and instead a notion of convergence is required which occurs long before the mixing time. We expect that the tools developed in this paper to avoid this problem will prove useful in examining other randomized algorithms.

The paper proceeds as follows. In Section 2 we introduce the Kangaroo method. A general framework for analysing intersection of independent walks on the integers is constructed in Section 3. This is followed by a detailed analysis for the Kangaroo method in Section 4. The Appendix contains the proof of a technical lemma used in Section 3.

2 Preliminaries

We describe here the Kangaroo method, originally known as the Lambda method for catching kangaroos. The Distinguished Points implementation of [4] is given, rather than the original implementation of [5],

as the former is more efficient.

Problem: Given $g,h \in G$, solve for $x \in [a,b]$ with $h = g^x$.

Method: Pollard's Kangaroo method (with distinguished points).

Preliminary Steps: Define a set $D$ of distinguished points, with $|D|/|G| = c/\sqrt{b-a}$ for some constant $c$. Define a set of jump sizes $S = \{s_0, s_1, \ldots, s_d\}$. We consider powers of two, $S = \{2^k\}_{k=0}^{d}$, with $d = \log_2\sqrt{b-a} + \log_2\log_2\sqrt{b-a} - 2$ chosen so that elements of $S$ average $\sqrt{b-a}/2$. Finally, a hash function $F : G \to S$.

The Algorithm: Let $X_0 = \frac{a+b}{2}$, $Y_0 = x$, and $d_0 = 0$. Observe that $g^{Y_0} = h\,g^{d_0}$. Recursively define $X_{i+1} = X_i + F(g^{X_i})$ and likewise $d_{i+1} = d_i + F(h\,g^{d_i})$. This implicitly defines $Y_{i+1} = Y_i + F(g^{Y_i}) = x + d_{i+1}$. If $g^{X_i} \in D$ then store the pair $(g^{X_i}, X_i - X_0)$ with an identifier T (for tame). Likewise if $g^{Y_i} = h\,g^{d_i} \in D$ then store $(g^{Y_i}, d_i)$ with an identifier W (for wild). Once some distinguished point has been stored with both identifiers T and W, say $g^{X_i} = g^{Y_j}$ where $(g^{X_i}, X_i - X_0)$ and $(g^{Y_j}, d_j)$ were stored, then $X_i \equiv Y_j \equiv x + d_j \pmod{|G|}$, and so $x \equiv X_i - d_j \pmod{|G|}$.

The $X_i$ walk is called the tame kangaroo because its position is known, whereas the position $Y_j$ of the wild kangaroo is to be determined by the algorithm. This was originally known as the Lambda method because the two walks are initially different, but once $g^{X_i} = g^{Y_j}$ then they proceed along the same route, forming a $\lambda$ shape.

Theorem 1.1 makes rigorous the following commonly used rough heuristic: Suppose $X_0 \ge Y_0$. Run the tame kangaroo infinitely far. Since the kangaroos have an average step size $\sqrt{b-a}/2$, one expects the wild kangaroo requires $\frac{|X_0 - Y_0|}{\sqrt{b-a}/2}$ steps to reach $X_0$. Subsequently, at each step the probability that the wild kangaroo lands on a spot visited by the tame kangaroo is roughly $p = 2/\sqrt{b-a}$, so the expected number of additional steps by the wild kangaroo until a collision is then around $p^{-1} = \sqrt{b-a}/2$. By symmetry the tame kangaroo also averaged $p^{-1}$ steps. About $\sqrt{b-a}/c$ additional steps are required until a distinguished point is reached. Since $X_i$ and $Y_i$ are incremented simultaneously the total number of steps taken is then twice the wild kangaroo's count, which is at most $(3 + c^{-1})\sqrt{b-a}$. If $Y_0 = x \in_{uar} [a,b]$ then $E|X_0 - Y_0| = (b-a)/4$ and the bound is $(2 + c^{-1})\sqrt{b-a}$.

We make only two assumptions in our analysis. First, that the hash $F : G \to S$ is a random function, i.e. if $g \in G$ then $F(g)$ is equally likely to be any value in $S$, independent of all other $F(g')$. Second, that the distinguished points are well distributed with $c \ll \sqrt{b-a}$; either they are chosen uniformly at random, or if $c = \Omega(d \log d)$ then roughly constant spacing between points will suffice. The assumption on distinguished points can be dropped if we instead analyze Pollard's (slower) original algorithm, to which our methods also apply. Both assumptions are made in most discussions of the Kangaroo method [7, 4, 6], and so are quite acceptable.
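As an added worked example (not code from the paper), the distinguished-points Kangaroo method of this section implemented over the multiplicative group of integers modulo a prime. The prime, generator, SHA-256 based hash $F$ and the distinguished-point rule are constructed here for illustration, and the constant term in the jump-set size $d$ is an assumption.

```python
import hashlib
import math


def _hash64(seed: bytes, y: int) -> int:
    """Deterministic stand-in for the paper's random hash F: G -> S.

    Constructed for this example: SHA-256 of the group element, seeded so a
    run that finds no collision can be retried with a fresh "random" F.
    """
    digest = hashlib.sha256(seed + y.to_bytes(16, "big")).digest()
    return int.from_bytes(digest[:8], "big")


def kangaroo_dlog(g: int, h: int, p: int, a: int, b: int, c: int = 4,
                  max_retries: int = 8) -> int:
    """Solve g^x = h (mod p) for x in [a, b] with Pollard's Kangaroo method.

    Follows the distinguished-points variant of Section 2: the tame kangaroo
    starts at the known exponent X_0 = (a+b)//2, the wild one at the unknown
    x (tracked as h*g^{d_i} together with its offset d_i), both hop by powers
    of two chosen by a hash of the current group element, and a distinguished
    point stored by both walks gives x = X_i - d_j (mod ord g).
    Assumes g is a generator of Z_p^*, so ord(g) = p - 1.
    """
    n = p - 1                      # order of the generator g
    root = math.sqrt(b - a)
    # Jump set S = {2^0, ..., 2^d}; d is chosen so the mean jump is close to
    # sqrt(b-a)/2 as in the paper.  The "- 2" offset is an assumption here.
    d = max(1, int(math.log2(root) + math.log2(max(2.0, math.log2(root))) - 2))
    g_jump = [pow(g, 1 << k, p) for k in range(d + 1)]   # g^{2^k}, precomputed
    # Distinguished points: roughly one element in sqrt(b-a)/c, so the last
    # leg after the collision costs about sqrt(b-a)/c extra hops.
    m = max(1, int(root / c))
    max_steps = 100 * int(root) + 10_000

    for attempt in range(max_retries):
        seed = b"kangaroo-%d" % attempt
        tame, wild = {}, {}                    # distinguished point -> X_i / d_i
        X = (a + b) // 2                       # tame position (absolute exponent)
        gX = pow(g, X, p)
        D, hgD = 0, h % p                      # wild: h * g^D, D = distance hopped
        for _ in range(max_steps):
            # Tame kangaroo: record the point if distinguished, then hop.
            hv = _hash64(seed, gX)
            if (hv >> 20) % m == 0:
                if gX in wild:                 # g^X = h g^D  =>  x = X - D
                    return (X - wild[gX]) % n
                tame[gX] = X
            k = hv % (d + 1)
            X, gX = X + (1 << k), gX * g_jump[k] % p
            # Wild kangaroo: same rule applied to h * g^D.
            hv = _hash64(seed, hgD)
            if (hv >> 20) % m == 0:
                if hgD in tame:
                    return (tame[hgD] - D) % n
                wild[hgD] = D
            k = hv % (d + 1)
            D, hgD = D + (1 << k), hgD * g_jump[k] % p
        # No collision: the two walks fell into different cycles of the
        # hash-defined map.  Retry with a new seed, i.e. a fresh random F.
    raise RuntimeError("no collision found; raise max_retries or max_steps")


def demo() -> int:
    """Constructed instance: p = 2^31 - 1 (prime) with primitive root 7."""
    p, g = 2**31 - 1, 7
    a, b = 1_000_000, 1_000_000 + 2**20     # interval of width 2^20
    x_secret = a + 777_777                   # the logarithm to be recovered
    h = pow(g, x_secret, p)
    return kangaroo_dlog(g, h, p, a, b)


if __name__ == "__main__":
    print("recovered x =", demo())
```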
3 Uniform Intersection Time and a Collision Bound

In order to understand our approach to bounding time until the kangaroos have visited a common location, which we call a collision, it will be helpful to consider a simplified version of the Kangaroo method. First, observe by the assumption about the hash $F : G \to S$ that $X_i$ and $Y_j$ are independent random walks at least until they collide, and so to bound time until this occurs it suffices to assume they are independent random walks even after they have collided. Second, these are random walks on $\mathbb{Z}/|G|\mathbb{Z}$, so if we drop the modular arithmetic and work on $\mathbb{Z}$ then the time until a collision can only be made worse. Third, since the walks proceed strictly in the positive direction on $\mathbb{Z}$ then in order to determine the number of hops the tame kangaroo (described by $X_i$) takes until it meets the wild kangaroo (i.e. $X_i = Y_j$ on $\mathbb{Z}$), it suffices to run the wild kangaroo infinitely long and only after this have the tame kangaroo start hopping.

With these simplifications the problem reduces to one about intersection of walks $X_i$ and $Y_j$, both proceeding in the positive direction on the integers, in which $Y_j$ proceeds an infinite number of steps and then $X_i$ proceeds some $N$ steps until $\exists j,\ X_N = Y_j$. Thus, rather than considering a specific probability $\Pr[X_i = Y_j]$ it is better to look at $\Pr[\exists j,\ X_i = Y_j]$. By symmetry, the same approach will also bound the expected number of hops the wild kangaroo requires to reach a location the tame kangaroo visits.

First however, because the walk does not proceed long enough to approach its stationary distribution (true on both $\mathbb{Z}/|G|\mathbb{Z}$ and more obviously on $\mathbb{Z}$), alternate notions resembling mixing time and a stationary distribution will be required.

Definition 3.1. Consider a Markov chain $P$ on $\mathbb{Z}$ which is non-decreasing, i.e. $P(u,v) > 0$ only when $v \ge u$. Let $X_i$ and $Y_j$ denote independent walks starting at states $(X_0,Y_0) \in \Omega \subset \mathbb{Z}\times\mathbb{Z}$, for some set of permitted initial states $\Omega \subset \mathbb{Z}\times\mathbb{Z} \setminus \bigcup_v \{(v,v)\}$. For fixed $\epsilon \in [0,1]$, the uniform intersection time $T(\epsilon) \in \mathbb{N}$ and uniform intersection probability $U \in \mathbb{R}^+$ are such that
$$\forall i \ge T(\epsilon):\qquad (1-\epsilon)U \le \Pr(\exists j,\ X_i = Y_j) \le (1+\epsilon)U.$$

We do not attempt to show a general existence result for uniform intersection time and probability, as our primary interest is in the Kangaroo method. Also, to avoid clutter we write $T$ to denote $T(\epsilon)$ in the remainder.

A natural approach is to consider an appropriate random variable counting the number of intersections of the two walks. Towards this, let $S_N$ denote the number of times the $X_i$ walk intersects the $Y_j$ walk in the first $N$ steps, i.e.
$$S_N = \sum_{i=1}^{N} 1_{\{\exists j:\ X_i = Y_j\}}.$$
The second moment method used will involve showing that $\Pr[S_N > 0]$ is non-trivial for some $N$. Our collision bound will involve the quantity $B_T$, an upper bound on the expected number of collisions in the first $T$ steps between two independent walks. To be precise, define:
$$B_T = \max_{(X_0,Y_0)\in\Omega} \sum_{i=1}^{T} \Pr[\exists j,\ X_i = Y_j].$$
Then the expected number of steps until a collision can be bounded as follows.

Theorem 3.2. Consider a non-decreasing Markov chain on $\mathbb{Z}$, two independent walks with starting states $(X_0,Y_0) \in \Omega$, and uniform intersection time and probability $T = T(\epsilon)$ and $U$ respectively. Then
$$\frac{(1-\sqrt{B_T})^2}{U(1+\epsilon)} \le E\min\{i > 0 : \exists j,\ X_i = Y_j\} \le (1-4\epsilon)^{-1}\left(\sqrt{T} + \sqrt{\frac{1+2B_T}{U}}\right)^2.$$
If $B_T, \epsilon \to 0$ and $TU \ll 1$ then these bounds show that
$$E\min\{i > 0 : \exists j,\ X_i = Y_j\} \approx \frac{1}{U}\left(\sqrt{1+2B_T} + \sqrt{TU}\right)^2 \approx \frac{1}{U}.$$

It will prove easiest to study $S_N$ by first considering the first and second moments of the number of intersections in steps $T+1$ to $N$, i.e. $S'_N = \sum_{i=T+1}^{N} 1_{\{\exists j:\ X_i = Y_j\}}$, in terms of the uniform intersection time and probability:

Lemma 3.3. Under the conditions of Theorem 3.2, if $N \ge T$ then
$$(1-\epsilon)(N-T)U \le E[S'_N] \le (1+\epsilon)(N-T)U,\qquad E[S'^2_N] \le (1+\epsilon)^2 (N-T)^2 U^2 \left[1 + \frac{1+2B_T}{(N-T)U}\right].$$

This is a technical lemma and offers little insight into our proof, so it is left for the Appendix. We now upper and lower bound the probability of an intersection in the first $N$ steps:

Lemma 3.4. Under the conditions of Theorem 3.2, if $N \ge T$ then
$$B_T + (N-T)U(1+\epsilon) \ge \Pr[S_N > 0] \ge (1-4\epsilon)\left[1 + \frac{1+2B_T}{(N-T)U}\right]^{-1}.$$

Proof. Observe that $\Pr[S_N > 0] \ge \Pr[S'_N > 0]$, so for the lower bound it suffices to consider $S'_N$. Recall the standard second moment bound: using Cauchy-Schwarz, we have that $E[S'_N] = E[S'_N 1_{\{S'_N > 0\}}] \le E[S'^2_N]^{1/2} E[1_{\{S'_N > 0\}}]^{1/2}$ and hence $\Pr[S'_N > 0] \ge E[S'_N]^2 / E[S'^2_N]$. By Lemma 3.3 then, independent of starting point,
$$\Pr[S_N > 0] \ge \left(\frac{1-\epsilon}{1+\epsilon}\right)^2 \left[1 + \frac{1+2B_T}{(N-T)U}\right]^{-1} \ge (1-4\epsilon)\left[1 + \frac{1+2B_T}{(N-T)U}\right]^{-1},$$
since $\left(\frac{1-\epsilon}{1+\epsilon}\right)^2 \ge 1-4\epsilon$ for $\epsilon \ge 0$.

Now to upper bound $\Pr[S_N > 0]$. Since $S_N \in \mathbb{N}$ then $\Pr[S_N > 0] = E[1_{S_N > 0}] \le E[S_N]$. The expectation $E[S_N]$ satisfies
$$E[S_N] = E\sum_{i=1}^{N} 1_{\{\exists j,\ X_i = Y_j\}} = \sum_{i=1}^{T} \Pr[\exists j,\ X_i = Y_j] + \sum_{i=T+1}^{N} \Pr[\exists j,\ X_i = Y_j] \le B_T + (N-T)U(1+\epsilon).$$

Proof of Theorem 3.2. First, we upper and lower bound $\Pr[S_{kN} = 0]$ for every $k \ge 1$. For $l \ge 1$, let $S^{(l)}_N = \sum_{i=1}^{N} 1_{\{\exists j:\ X_{(l-1)N+i} = Y_j\}}$, so that $S^{(1)}_N = S_N$. Thus
$$\Pr[S_{kN} = 0] = \Pr[S_N = 0]\,\Pr[S_{2N} = 0 \mid S_N = 0] \cdots \Pr[S_{kN} = 0 \mid S_{(k-1)N} = 0] = \prod_{l=1}^{k} \Pr[S^{(l)}_N = 0 \mid S_{(l-1)N} = 0].$$
By taking $X_0 \to X_{(l-1)N}$ and $Y_0 \to \min\{Y_j : Y_j > X_{(l-1)N}\}$, we may bound:
$$1 - B_T - (N-T)U(1+\epsilon) \le \Pr[S^{(l)}_N = 0 \mid S_{(l-1)N} = 0] \le 1 - (1-4\epsilon)\left[1 + \frac{1+2B_T}{(N-T)U}\right]^{-1}.$$
Hence
$$\left(1 - (1-4\epsilon)\left[1 + \frac{1+2B_T}{(N-T)U}\right]^{-1}\right)^k \ge \Pr[S_{kN} = 0] \ge \left(1 - B_T - (N-T)U(1+\epsilon)\right)^k.$$

These upper and lower bounds will now be used to bound the collision time. First, the upper bound
$$E\min\{i : S_i > 0\} = E\sum_{i \ge 0} 1_{S_i = 0} = \sum_{i \ge 0} \Pr[S_i = 0] \le \sum_{k \ge 0} \Pr[S_{kN} = 0]\,N \le N\sum_{k \ge 0}\left(1 - (1-4\epsilon)\left[1 + \frac{1+2B_T}{(N-T)U}\right]^{-1}\right)^k = (1-4\epsilon)^{-1}\,N\left(1 + \frac{1+2B_T}{(N-T)U}\right).$$
This is minimized when $N = T + \sqrt{T(1+2B_T)/U}$, which gives the upper bound of the theorem.

To show the lower bound, take
$$E\min\{i : S_i > 0\} = \sum_{i \ge 0} \Pr[S_i = 0] \ge N\sum_{k \ge 1} \Pr[S_{kN} = 0] \ge N\sum_{k \ge 1}\left(1 - B_T - (N-T)U(1+\epsilon)\right)^k = N\left(\frac{1}{B_T + (N-T)U(1+\epsilon)} - 1\right).$$
If $B_T \ge 1$ then the bound stated in the theorem is trivial, so assume $B_T < 1$. If $B_T(1-B_T) < TU(1+\epsilon)$ then the maximum of the above bound is at $N = T$. In this case the bound is
$$E\min\{i : S_i > 0\} \ge T\left(\frac{1}{B_T} - 1\right) \ge \frac{(1-B_T)^2}{U(1+\epsilon)}.$$
When $B_T(1-B_T) \ge TU(1+\epsilon)$ then the maximum is at $N = \frac{\gamma(1-\gamma)}{U(1+\epsilon)}$, where the quantity $\gamma = \sqrt{B_T - TU(1+\epsilon)}$. In this case the bound is
$$E\min\{i : S_i > 0\} \ge \frac{(1-\gamma)^2}{U(1+\epsilon)} \ge \frac{(1-\sqrt{B_T})^2}{U(1+\epsilon)}.$$

To bound the value of $B_T$ it will prove easier to consider those intersections that occur early in the $Y_j$ walk separately from those that occur later.

Lemma 3.5. Let $\tau$ be such that whenever $(X_0,Y_0) \in \Omega$ then $\Pr[\{X_i\}_{i \le T} \cap \{Y_j\}_{j > \tau} \ne \emptyset] \le \gamma$. Then
$$B_T \le \gamma + \sum_{j=1}^{\tau} (1+j)\max_{u,v} P^j(u,v).$$

Proof. Recall that $B_T = \max_{(X_0,Y_0)\in\Omega} \sum_{i=1}^{T} \Pr(\exists j,\ X_i = Y_j)$. When $j > \tau$ then $\Pr[\exists j > \tau : X_i = Y_j] \le \Pr[\{X_i\} \cap \{Y_j\}_{j > \tau} \ne \emptyset] \le \gamma$. When $j \le \tau$ then
$$\sum_{i=1}^{T}\Pr[\exists j \le \tau : X_i = Y_j] \le \sum_{i=0}^{T}\sum_{j=0}^{\tau}\sum_v P^i(X_0,v)P^j(Y_0,v) \le \sum_{j=1}^{\tau}\sum_{i=0}^{j}\max_{w,x}P^j(w,x)\,\max_u \sum_v P^i(u,v) = \sum_{j=1}^{\tau}(1+j)\max_{w,x}P^j(w,x).$$
The second inequality follows by letting $j$ denote the larger of the two indices and $i$ the smaller. The final equality is because $\sum_v P^i(u,v) = 1$.

4 Catching Kangaroos

The collision results of the previous section will now be applied to the Kangaroo method. The first step in bounding collision time will be to bound the uniform intersection time and probability. This will be done by selecting some $d$ of the first $T$ steps of the $X_i$ walk (for suitable $i$), and using these to construct a uniformly random $d$-bit binary string which is independent of the specific step sizes taken on other steps. This implies that the $X_i$ walk is uniformly distributed over some interval of $2^d$ elements, and so the probability that some $Y_j = X_i$ will be exactly the expected number of times the $Y_j$ walk visits this interval, divided by the interval size (i.e. $2^d$). Throughout we take $\Omega = \{(X_0,Y_0) : X_0 \le Y_0 < X_0 + 2^d\}$.

Lemma 4.1. If $(X_0,Y_0) \in \Omega$ and $i \ge T = (d+1)^2(1 + \log_2(d+1))$ then
$$\frac{2}{\sqrt{b-a}}\left(1 - \frac{3}{\log_2\sqrt{b-a}}\right) \le \Pr(\exists j,\ X_i = Y_j) \le \frac{2}{\sqrt{b-a}}\left(1 + \frac{3}{\log_2\sqrt{b-a}}\right),$$
i.e. when $\epsilon = 3/\log_2\sqrt{b-a}$ then one may take $T(\epsilon) = T$ as above and $U = 2/\sqrt{b-a}$.

Proof. The tame kangaroo will be implemented by choosing $k \in_{uar} \{0,1,\ldots,d\}$ and then flipping a coin to decide whether to increment by $2^k$ or $2^{k+1}$ (if $k = d$ then increment by $2^d$ or $2^0$). We say generator $k$ has been chosen if value $k$ was chosen, even though the step size taken may not be $2^k$.

Consider the tame kangaroo. For $k \in \{0,1,\ldots,d-1\}$ let $\delta_k$ denote the step taken the first time generator $k$ is chosen, so that $\delta_k - 2^k \in_{uar} \{0, 2^k\}$. Also, let $\mathcal{T}$ be the first time all of the generators have been chosen (including $d$). Define $\delta = \sum_{k=0}^{d-1}(\delta_k - 2^k) \in_{uar} \{0,1,\ldots,2^d - 1\}$ and let $I_i$ denote the sum of all increments except those incorporated in a $\delta_k$, so that if $i \ge \mathcal{T}$ then $X_i = X_0 + I_i + 2^d - 1 + \delta$.

Suppose $i \ge \mathcal{T}$. Then $\delta$ is independent of the value of $I_i$, and so $X_i \in_{uar} [X_0 + I_i + 2^d - 1,\ X_0 + I_i + 2^{d+1} - 1)$. Observe that $X_0 + I_i + 2^d - 1 \ge X_0 + 2^d - 1 \ge Y_0$. Since the average non-zero step size for $Y_j$ is $\sqrt{b-a}/2$ (recall $d$ was chosen to guarantee this) then
$$\Pr(\exists j,\ X_i = Y_j \mid i \ge \mathcal{T}) = \frac{E\left|\{Y_j\} \cap [X_0 + I_i + 2^d - 1,\ X_0 + I_i + 2^{d+1} - 1)\right|}{2^d} \ge \frac{\lfloor 2^d/(\sqrt{b-a}/2)\rfloor}{2^d} \ge \frac{2}{\sqrt{b-a}}\left(1 - \frac{2}{\log_2\sqrt{b-a}}\right).$$
Similarly, an upper bound of $\frac{2}{\sqrt{b-a}} + 2^{-d}$ follows by taking the ceiling instead of the floor.

Next, consider $\mathcal{T}$. By the Coupon Collector's problem $E(\mathcal{T}) = (d+1)H_{d+1}$ where $H_n = \sum_{l=1}^{n} l^{-1}$ is the $n$-th harmonic number. By Markov's Inequality $\Pr[\mathcal{T} \ge 2(d+1)H_{d+1}] \le 1/2$ and so if $\alpha = d+1$ then
$$\Pr[\mathcal{T} \ge 2\alpha(d+1)H_{d+1}] = \prod_{l=1}^{\alpha}\Pr[\mathcal{T} \ge 2l(d+1)H_{d+1} \mid \mathcal{T} \ge 2(l-1)(d+1)H_{d+1}] \le 2^{-\alpha} = 2^{-(d+1)}.$$
Since $H_n \le 1 + \ln n \le 1 + \log_2 n$, we get in turn $\Pr[\mathcal{T} > T] \le 2^{-(d+1)}$. To finish,
$$\Pr[\exists j,\ X_i = Y_j] = (1 - \Pr[\mathcal{T} > T])\Pr[\exists j,\ X_i = Y_j \mid \mathcal{T} \le T] + \Pr[\mathcal{T} > T]\Pr[\exists j,\ X_i = Y_j \mid \mathcal{T} > T].$$
Since all probabilities are in $[0,1]$, and $0 \le \Pr[\mathcal{T} > T] \le 2^{-(d+1)}$, then
$$\left|\Pr[\exists j,\ X_i = Y_j] - \Pr[\exists j,\ X_i = Y_j \mid \mathcal{T} \le T]\right| \le 2^{-(d+1)}.$$

It remains only to upper bound $B_T$. This will be shown by breaking up the sum of Lemma 3.5 into two parts. Let $\kappa = \sqrt[5]{d+1}$. When $j \le \kappa$ then it will be shown that with high probability every step size taken was distinct, in which case the sum of the step sizes is a random $(d+1)$-bit binary string containing exactly $j$ ones, i.e. uniform over $\binom{d+1}{j}$ possibilities. When $j > \kappa$ then with high probability at least $\kappa$ distinct step sizes have been chosen, in which case a random $\kappa$-bit binary string is extracted as in the proof of Lemma 4.1 and used to show the maximum probability of a state is at most $2^{-\kappa}$.

Lemma 4.2. If $T = (d+1)^2(1 + \log_2(d+1))$ then $B_T = o_d(1)$.

Proof. This will be shown by applying Lemma 3.5. To bound $P^j(u,v)$ we set $X_0 = u$ and consider $X_j$ for $j \in \{1,2,\ldots,\tau\}$, where $\tau$ is to be determined later. Recall that $\kappa = \sqrt[5]{d+1}$.

First suppose $1 \le j \le \kappa$. Assume $d \ge 2$ so that $j < d+1$. Implement the kangaroo walk in the obvious way, i.e. choose $k \in \{0,1,\ldots,d\}$ and increment by $2^k$. Let $E$ denote the event that all $j$ increment sizes were distinct. Then
$$\Pr[E] = \frac{(d+1)d\cdots(d+2-j)}{(d+1)^j} \ge \left(1 - \frac{j-1}{d+1}\right)^{j} \ge 1 - \frac{j(j-1)}{d+1},$$
because $(1-x)^n \ge 1 - nx$ if $x \in [0,1]$ and $n \in \mathbb{N}$. Then
$$\max_v P^j(u,v) = \max_v \Pr[X_j = v] = \max_v \left(\Pr[E]\Pr[X_j = v \mid E] + \Pr[E^c]\Pr[X_j = v \mid E^c]\right) \le \binom{d+1}{j}^{-1} + (1 - \Pr[E]) \le \frac{1}{d+1} + \frac{j(j-1)}{d+1} \le 4(d+1)^{-3/5}.$$
If $d = 1$ then trivially $P^j(u,v) \le 1 \le 4(d+1)^{-3/5}$. Then
$$\sum_{j=1}^{\kappa}(j+1)\max_v P^j(u,v) \le (1+\kappa)^2\, 4(d+1)^{-3/5} = o_d(1).$$

Before calculating the remaining terms in the sum, a value for $\tau$ in Lemma 3.5 is needed. Note that trivially $X_T \le X_0 + 2^d T$. Let $Y$ be a random increment of the $Y$ walk. Then
$$\Pr\left[Y \ge \frac{2^d}{d+1}\right] = \frac{1 + \log_2(d+1)}{d+1}.$$
A Chernoff bound can be used here. If $j \ge \frac{4(d+1)^2 T}{1 + \log_2(d+1)}$ then the expected number of steps of size at least $\frac{2^d}{d+1}$ is $\mu = 4(d+1)T = 4(d+1)^3(1 + \log_2(d+1))$, so that $E[Y_j - X_0] \ge E[Y_j - Y_0] - 2^d \ge 2^d T$. With $\delta = 1/2$ then
$$\Pr[Y_j \le X_0 + 2^d T] \le e^{-\mu\delta^2/2} \le e^{-4(d+1)^3(1 + \log_2(d+1))/8} \le 2^{-(d+1)}.$$
It thus suffices to take $\tau = \frac{4(d+1)^2 T}{1 + \log_2(d+1)} = 4(d+1)^4$, with $\gamma = 2^{-(d+1)}$ and $\gamma = o_d(1)$.

Finally, suppose $\kappa < j \le \tau$. Implement the kangaroo walk as in the proof of Lemma 4.1, and likewise assume the same terminology. Let $\mathcal{S}$ denote the set of distinct generators that have been chosen excluding $d$, so that $|\mathcal{S}| \le d$, and observe that $\sum_{k \in \mathcal{S}}(\delta_k - 2^k) \in_{uar} \{2^{|\mathcal{S}|}\text{ elements}\}$, so that if $I_j$ is the sum of all increments except those used the first time an element of $\mathcal{S}$ was chosen then $\Pr[X_j = v \mid \mathcal{S}, I_j] \le 2^{-|\mathcal{S}|}$. It follows that $\Pr[X_j = v \mid \mathcal{S}] \le 2^{-|\mathcal{S}|}$. Hence, if $E$ denotes the event that $\kappa$ or fewer distinct generators have been chosen, so that $E^c$ implies $|\mathcal{S}| \ge \kappa$, then $\max_{u,v} P^j(u,v) \le \Pr[E]\cdot 1 + \Pr[E^c]\cdot 2^{-\kappa}$, which the original bounds as follows (the intermediate terms are not fully recoverable from the scan):
( )( ) d + 1 κ j κ d + 1 κ (d + 1) κ (d + 1) 4j/5 + κ (d + 1) 3 5 κ + κ
It follows that
$$\sum_{j=\kappa+1}^{\tau}(1+j)\max_{u,v} P^j(u,v) \le (1+\tau)^2\left((d+1)^{-\frac{3}{5}\kappa} + 2^{-\kappa}\right) = o_d(1).$$

We can now prove the main result of the paper.

Proof of Theorem 1.1. Note that the group elements $g^{(2^k)}$ can be pre-computed, so that each step of a kangaroo requires only a single group multiplication. As discussed in the heuristic argument of Section 2, an average of $\frac{|X_0 - Y_0|}{\sqrt{b-a}/2}$ steps are needed to put the smaller of the starting states (e.g. $X_0 < Y_0$) within $2^d$ of the one that started ahead.

If the Distinguished Points are randomly distributed then the heuristic for these points is again correct. If instead they are roughly constantly spaced and $c = \Omega(d\log d)$ then observe that in the proof of Lemma 4.1 it was established that after $T = T(\epsilon) = (d+1)^2(1 + \log_2(d+1))$ steps the kangaroos will be nearly uniformly random over some interval of length $2^{d+1} = \frac{1}{2}\sqrt{b-a}\log_2\sqrt{b-a}$, so if the Distinguished Points are uniformly distributed and cover a $c/\sqrt{b-a}$ fraction of vertices then an average of $\sqrt{b-a}/c$ such samples are needed, which amounts to $o(1)\sqrt{b-a}$ extra steps.
It remains to make rigorous the claim regarding $p^{-1}$. In the remainder we may thus assume that $|X_0 - Y_0| \le 2^d$. Take $\epsilon = 3/\log_2\sqrt{b-a}$. By Lemma 4.1 the uniform intersection time is $T = T(\epsilon) = (d+1)^2(1 + \log_2(d+1))$ with uniform intersection probability $U = 2/\sqrt{b-a}$, while by Lemma 4.2 also $B_T = o(1)$. The upper bound of Theorem 3.2 is then $\left(\frac{1}{2} + o(1)\right)\sqrt{b-a}$. The lower bound of Theorem 3.2 is then $\left(\frac{1}{2} - o(1)\right)\sqrt{b-a}$.

Acknowledgments

The authors thank Dan Boneh for encouraging them to study the Kangaroo method.

References

[1] D. Boneh, Private Communication.

[2] D. Boneh and X. Boyen, Short Signatures Without Random Oracles, Proc. of Eurocrypt 2004, LNCS 3027 (2004).

[3] J.-H. Kim, R. Montenegro, Y. Peres and P. Tetali, A Birthday Paradox for Markov chains, with an optimal bound for collision in the Pollard Rho Algorithm for Discrete Logarithm, Proc. of the Algorithmic Number Theory Symposium (ANTS-VIII), Springer LNCS 5011 (2008).

[4] P.C. van Oorschot and M.J. Wiener, Parallel collision search with cryptanalytic applications, Journal of Cryptology, vol. 12 no. 1, pp. 1-28 (1999).

[5] J. Pollard, Monte Carlo methods for index computation mod p, Mathematics of Computation, vol. 32 no. 143 (1978).

[6] J. Pollard, Kangaroos, Monopoly and Discrete Logarithms, Journal of Cryptology, vol. 13 no. 4 (2000).

[7] E. Teske, Square-root Algorithms for the Discrete Logarithm Problem (A Survey), in Public-Key Cryptography and Computational Number Theory, Walter de Gruyter, Berlin - New York (2001).

Appendix

The proof of Lemma 3.3 was left to the Appendix:

Proof. The expectation $E[S'_N]$ satisfies
$$E[S'_N] = E\sum_{i=T+1}^{N} 1_{\{\exists j,\ X_i = Y_j\}} = \sum_{i=T+1}^{N} E[1_{\{\exists j,\ X_i = Y_j\}}] \ge (N-T)U(1-\epsilon). \tag{1}$$
The inequality is because $E[1_{\{\exists j,\ X_i = Y_j\}}] = \Pr[\exists j,\ X_i = Y_j] \ge U(1-\epsilon)$ for $i \ge T$. The upper bound follows by taking $(1+\epsilon)$ in place of $(1-\epsilon)$.

Now for $E[S'^2_N]$. Note that
$$E[S'^2_N] = E\left(\sum_{i=T+1}^{N} 1_{\{\exists j,\ X_i = Y_j\}}\right)\left(\sum_{k=T+1}^{N} 1_{\{\exists l,\ X_k = Y_l\}}\right) = \sum_{i=T+1}^{N}\sum_{k=T+1}^{N}\Pr(\exists j,l : X_i = Y_j,\ X_k = Y_l).$$
By symmetry it suffices to consider the case that $k \ge i > T$. Also, observe that if $X_i = Y_j$ then $X_k = Y_l$ is possible only if $l \ge j$, because the $X$ and $Y$ walks proceed in the positive direction on the integer line. When $k > i + T$ then $\Pr(\exists l,\ X_k = Y_l \mid X_i = Y_j) \le U(1+\epsilon)$ by definition of $T$, and so
$$\Pr(\exists j,l : X_i = Y_j,\ X_k = Y_l) = \Pr(\exists j : X_i = Y_j)\Pr(\exists l,\ X_k = Y_l \mid X_i = Y_j) \le (1+\epsilon)^2 U^2.$$
When $k \le i + T$ then
$$\sum_{k=i+1}^{i+T}\Pr(\exists j,l : X_i = Y_j,\ X_k = Y_l) \le \Pr(\exists j : X_i = Y_j)\max_u \sum_{k=1}^{T}\Pr(\exists l,\ X_k = Y_l \mid X_0 = Y_0 = u) \le B_T U(1+\epsilon),$$
since $i \ge T$. It follows that
$$E[S'^2_N] = \sum_{i=T+1}^{N}\Pr(\exists j : X_i = Y_j) + 2\sum_{i=T+1}^{N}\sum_{k=i+1}^{i+T}\Pr(\exists j,l : X_i = Y_j,\ X_k = Y_l) + 2\sum_{i=T+1}^{N}\sum_{k=i+T+1}^{N}\Pr(\exists j,l : X_i = Y_j,\ X_k = Y_l)$$
$$\le 2(1+\epsilon)U(N-T)\left(\tfrac{1}{2} + B_T\right) + (1+\epsilon)^2 U^2 (N-T)(N-T-1) \le (1+\epsilon)^2 U^2 (N-T)^2\left[1 + \frac{1+2B_T}{(1+\epsilon)U(N-T)}\right],$$
which gives the stated bound since $(1+\epsilon)^{-1} \le 1$.
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationHidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV *
2017 2nd International Conference on Artificial Intelligence: Techniques and Applications (AITA 2017) ISBN: 978-1-60595-491-2 Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * DCS
More informationDigital Signature Scheme Based on a New Hard Problem
Computer Science Journal of Moldova, vol.16, no.2(47), 2008 Digital Signature Scheme Based on a New Hard Problem Niolay A. Moldovyan Abstract Factorizing composite number n = qr, where q and r are two
More information14.1 Finding frequent elements in stream
Chapter 14 Streaming Data Model 14.1 Finding frequent elements in stream A very useful statistics for many applications is to keep track of elements that occur more frequently. It can come in many flavours
More informationEfficient Identity-Based Encryption Without Random Oracles
Efficient Identity-Based Encryption Without Random Oracles Brent Waters Abstract We present the first efficient Identity-Based Encryption (IBE) scheme that is fully secure without random oracles. We first
More informationNAVAL POSTGRADUATE SCHOOL THESIS
NAVAL POSTGRADUATE SCHOOL MONTEREY, CALIFORNIA THESIS AN ANALYSIS OF ALGORITHMS FOR SOLVING DISCRETE LOGARITHMS IN FIXED GROUPS by Joseph Mihalcik March 2010 Thesis Advisor: Second Reader: Dennis Volpano
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationRandom Variable. Pr(X = a) = Pr(s)
Random Variable Definition A random variable X on a sample space Ω is a real-valued function on Ω; that is, X : Ω R. A discrete random variable is a random variable that takes on only a finite or countably
More informationA Simple Left-to-Right Algorithm for Minimal Weight Signed Radix-r Representations
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. XX, NO. X, MONTH 2007 1 A Simple Left-to-Right Algorithm for Minimal Weight Signed Radix-r Representations James A. Muir Abstract We present a simple algorithm
More informationDiscrete logarithm and related schemes
Discrete logarithm and related schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Discrete logarithm problem examples, equivalent
More information10 Public Key Cryptography : RSA
10 Public Key Cryptography : RSA 10.1 Introduction The idea behind a public-key system is that it might be possible to find a cryptosystem where it is computationally infeasible to determine d K even if
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationLimits on the Efficiency of One-Way Permutation-Based Hash Functions
Limits on the Efficiency of One-Way Permutation-Based Hash Functions Jeong Han Kim Daniel R. Simon Prasad Tetali Abstract Naor and Yung show that a one-bit-compressing universal one-way hash function (UOWHF)
More informationPoints of High Order on Elliptic Curves ECDSA
! Independent thesis advanced level (degree of master (two years)) Points of High Order on Elliptic Curves ECDSA Author: Behnaz Kouchaki Barzi Supervisor: Per-Anders Svensson Examiner: Andrei Khrennikov
More information10 Generic algorithms for the discrete logarithm problem
18.783 Elliptic Curves Lecture #10 Spring 2017 03/13/2017 10 Generic algorithms for the discrete logarithm problem We now consider generic algorithms for the discrete logarithm problem in the standard
More informationElliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /
More informationCryptographic Hash Functions
Cryptographic Hash Functions Çetin Kaya Koç koc@ece.orst.edu Electrical & Computer Engineering Oregon State University Corvallis, Oregon 97331 Technical Report December 9, 2002 Version 1.5 1 1 Introduction
More informationSolution Set for Homework #1
CS 683 Spring 07 Learning, Games, and Electronic Markets Solution Set for Homework #1 1. Suppose x and y are real numbers and x > y. Prove that e x > ex e y x y > e y. Solution: Let f(s = e s. By the mean
More informationSummation polynomials and the discrete logarithm problem on elliptic curves
Summation polynomials and the discrete logarithm problem on elliptic curves Igor Semaev Department of Mathematics University of Leuven,Celestijnenlaan 200B 3001 Heverlee,Belgium Igor.Semaev@wis.kuleuven.ac.be
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationRandom Small Hamming Weight Products with Applications to Cryptography
Random Small Hamming Weight Products with Applications to Cryptography Jeffrey Hoffstein, Joseph H. Silverman NTRU Cryptosystems, Inc., 5 Burlington Woods, Burlington, MA 01803 USA, jhoff@ntru.com, jhs@ntru.com
More informationThe Markov Chain Monte Carlo Method
The Markov Chain Monte Carlo Method Idea: define an ergodic Markov chain whose stationary distribution is the desired probability distribution. Let X 0, X 1, X 2,..., X n be the run of the chain. The Markov
More informationComputing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring
Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics University of Paderborn 33102 Paderborn,
More informationEx1 Ex2 Ex3 Ex4 Ex5 Ex6
Technische Universität München (I7) Winter 2012/13 Dr. M. Luttenberger / M. Schlund Cryptography Endterm Last name: First name: Student ID no.: Signature: If you feel ill, let us know immediately. Please,
More informationone eciently recover the entire key? There is no known method for doing so. Furthermore, the common belief is that no such ecient algorithm exists. Th
Exposing an RSA Private Key Given a Small Fraction of its Bits Dan Boneh Glenn Durfee y Yair Frankel dabo@cs.stanford.edu gdurf@cs.stanford.edu yfrankel@cs.columbia.edu Stanford University Stanford University
More informationNew Variant of ElGamal Signature Scheme
Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 34, 1653-1662 New Variant of ElGamal Signature Scheme Omar Khadir Department of Mathematics Faculty of Science and Technology University of Hassan II-Mohammedia,
More informationCounting Prime Numbers with Short Binary Signed Representation
Counting Prime Numbers with Short Binary Signed Representation José de Jesús Angel Angel and Guillermo Morales-Luna Computer Science Section, CINVESTAV-IPN, Mexico jjangel@computacion.cs.cinvestav.mx,
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationCPSC 467b: Cryptography and Computer Security
Outline Quadratic residues Useful tests Digital Signatures CPSC 467b: Cryptography and Computer Security Lecture 14 Michael J. Fischer Department of Computer Science Yale University March 1, 2010 Michael
More information14 Diffie-Hellman Key Agreement
14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n
More informationCS 355: Topics in Cryptography Spring Problem Set 5.
CS 355: Topics in Cryptography Spring 2018 Problem Set 5 Due: June 8, 2018 at 5pm (submit via Gradescope) Instructions: You must typeset your solution in LaTeX using the provided template: https://crypto.stanford.edu/cs355/homework.tex
More informationCIS 551 / TCOM 401 Computer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It
More information1 Probability Review. CS 124 Section #8 Hashing, Skip Lists 3/20/17. Expectation (weighted average): the expectation of a random quantity X is:
CS 24 Section #8 Hashing, Skip Lists 3/20/7 Probability Review Expectation (weighted average): the expectation of a random quantity X is: x= x P (X = x) For each value x that X can take on, we look at
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationA NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT
A NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT Abderrahmane Nitaj 1 and Mohamed Ould Douh 1,2 1 Laboratoire de Mathématiques Nicolas Oresme, Université de Caen, Basse Normandie, France Université
More informationLecture 10 - MAC s continued, hash & MAC
Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationNew Attacks on the Concatenation and XOR Hash Combiners
New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Department of Computer Science, Ben-Gurion University, Israel Abstract. We study the security of the concatenation combiner H 1(M) H 2(M)
More informationLecture 4: Two-point Sampling, Coupon Collector s problem
Randomized Algorithms Lecture 4: Two-point Sampling, Coupon Collector s problem Sotiris Nikoletseas Associate Professor CEID - ETY Course 2013-2014 Sotiris Nikoletseas, Associate Professor Randomized Algorithms
More informationLecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle
More informationCRYPTOGRAPHY AND NUMBER THEORY
CRYPTOGRAPHY AND NUMBER THEORY XINYU SHI Abstract. In this paper, we will discuss a few examples of cryptographic systems, categorized into two different types: symmetric and asymmetric cryptography. We
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 14 October 16, 2013 CPSC 467, Lecture 14 1/45 Message Digest / Cryptographic Hash Functions Hash Function Constructions Extending
More informationComplexity Analysis of a Fast Modular Multiexponentiation Algorithm
Complexity Analysis of a Fast Modular Multiexponentiation Algorithm Haimin Jin 1,, Duncan S. Wong, Yinlong Xu 1 1 Department of Computer Science University of Science and Technology of China China jhm113@mail.ustc.edu.cn,
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationA New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis
A New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis Jean Sébastien Coron 1, David Lefranc 2 and Guillaume Poupard 3 1 Université du Luxembourg Luxembourg coron@clipper.ens.fr 2
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More informationA new attack on RSA with a composed decryption exponent
A new attack on RSA with a composed decryption exponent Abderrahmane Nitaj and Mohamed Ould Douh,2 Laboratoire de Mathématiques Nicolas Oresme Université de Caen, Basse Normandie, France abderrahmane.nitaj@unicaen.fr
More informationCell-Probe Lower Bounds for Prefix Sums and Matching Brackets
Cell-Probe Lower Bounds for Prefix Sums and Matching Brackets Emanuele Viola July 6, 2009 Abstract We prove that to store strings x {0, 1} n so that each prefix sum a.k.a. rank query Sumi := k i x k can
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols nichols@math.umass.edu University of Massachusetts Oct. 14, 2015 Cryptography basics Cryptography is the study of secure communications. Here are
More information6.1 Occupancy Problem
15-859(M): Randomized Algorithms Lecturer: Anupam Gupta Topic: Occupancy Problems and Hashing Date: Sep 9 Scribe: Runting Shi 6.1 Occupancy Problem Bins and Balls Throw n balls into n bins at random. 1.
More informationCryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages
Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages MEI-NA WANG Institute for Information Industry Networks and Multimedia Institute TAIWAN, R.O.C. myrawang@iii.org.tw SUNG-MING
More informationCryptanalysis of Threshold-Multisignature Schemes
Cryptanalysis of Threshold-Multisignature Schemes Lifeng Guo Institute of Systems Science, Academy of Mathematics and System Sciences, Chinese Academy of Sciences, Beijing 100080, P.R. China E-mail address:
More informationIdentity-based encryption
Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages
More informationID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationRandomized Algorithms
Randomized Algorithms Prof. Tapio Elomaa tapio.elomaa@tut.fi Course Basics A new 4 credit unit course Part of Theoretical Computer Science courses at the Department of Mathematics There will be 4 hours
More informationOne can use elliptic curves to factor integers, although probably not RSA moduli.
Elliptic Curves Elliptic curves are groups created by defining a binary operation (addition) on the points of the graph of certain polynomial equations in two variables. These groups have several properties
More informationLecture 12: Lower Bounds for Element-Distinctness and Collision
Quantum Computation (CMU 18-859BB, Fall 015) Lecture 1: Lower Bounds for Element-Distinctness and Collision October 19, 015 Lecturer: John Wright Scribe: Titouan Rigoudy 1 Outline In this lecture, we will:
More informationCS259C, Final Paper: Discrete Log, CDH, and DDH
CS259C, Final Paper: Discrete Log, CDH, and DDH Deyan Simeonov 12/10/11 1 Introduction and Motivation In this paper we will present an overview of the relations between the Discrete Logarithm (DL), Computational
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University
More informationFoundations of Cryptography
- 111 - Foundations of Cryptography Notes of lecture No. 10B & 11 (given on June 11 & 18, 1989) taken by Sergio Rajsbaum Summary In this lecture we define unforgeable digital signatures and present such
More informationAN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM
AN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM VORA,VRUSHANK APPRENTICE PROGRAM Abstract. This paper will analyze the strengths and weaknesses of the underlying computational
More informationA Composition Theorem for Universal One-Way Hash Functions
A Composition Theorem for Universal One-Way Hash Functions Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com Abstract. In this paper we present a new scheme
More information10 Concrete candidates for public key crypto
10 Concrete candidates for public key crypto In the previous lecture we talked about public key cryptography and saw the Diffie Hellman system and the DSA signature scheme. In this lecture, we will see
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More information